Re: Security release pre-announcement messages

Related Vulnerabilities: CVE-2019-13917  
oss-sec mailing list archives

From: Stiepan <stie () protonmail ch>

Date: Thu, 25 Jul 2019 21:35:45 +0000

I would like to congratulate the teams that do that. If public disclosure is deemed too dangerous before a patch is 
available, this looks like The reasonable tradeoff. Wish it was the same with Linux...

Rationale: people could switch meanwhile to a known safe kernel. That would provide peace of mind to the "rest of us" 
who don't have the keys to the linux-distros kingdom of the elected few, yet wish to have secure OSes, without a window 
of vulnerability open to whoever hacked into the elected few's machines (or are entitled another way to this secret 
information).
It would also make Linux governance way more democratic, which seems to be a must for such a "too big to fail" core 
open-source software.

Cheers,
Stiepan

Sent from ProtonMail mobile

-------- Original Message --------
On 23 Jul 2019 at 23:55, Douglas Bagnall wrote:

On 22/07/19 11:50 PM, Solar Designer wrote:
Exactly. It's just an unusual disclosure process that involves giving
the users a heads-up a few days before public disclosure of the actual
vulnerabilities and fixes. So far, this process is practiced by OpenSSL
and Exim (any others?)

On the Samba team we use wording like this:

https://lists.samba.org/archive/samba/2019-June/223621.html

----------------------------
Subject: Heads-up: Security Releases ahead!

Hi,

This is a heads-up that there will be Samba security updates on
Wednesday, June 19 2019. Please make sure that your Samba
servers will be updated soon after the release!

Impacted components:
- AD DC (CVSS 6.5, Medium)
-----------------------------

We now do this systematically, after a haphazard start.

To help ourselves stay on track, we are trying to formalise our
process into something approaching a checklist:

https://wiki.samba.org/index.php/Samba_Security_Process

and we are happy to hear suggestions for improvement.

cheers,
Douglas
